Oracle Blog

do it. think it. blog it! ...

Friday Sep 29, 2006

K. I admit, the 2.0 syndrome has hit me too. I have been watching all these 2.0 applications sprout up, and am taken up by it. I have seen numerous applications branded 2.0, and have seen social bookmarking sites like digg, netscape (my very own hac.kers.us), del.icio.us, wikipedia, community driven sites, blogs across multitudes of platforms, blog aggregators like planet identity, etc.

I wondered if all these social 2.0 sites really made any money. I then thought of starting an experiment…. just to see what community involvement really meant. Is it just a bunch of folks who want to be heard, or folks who really involve themselves in the technology that they preach? But being in the identity space, I wanted to come up with a cocktail recipe that had a flavor of wikis, aggregation, tags, community commenting, the ability to modify anything, the ability to post anything. So I thought of putting up an RSS feed aggregator which enabled folks to not only submit their feeds, but also vote on them, archive them, publish them, comment on individual posts, tag the articles etc… I used Pat's planetidentity OPML feed as a starting point, and here's what I came up with: the IDENTITY BlogReGator.

Here's the thought behind it. planetidentity started off as an aggregator for IDENTITY related blogs. But not every blog owner/blogger blogs about identity all the time; there are numerous posts about cats, dogs, bicycles, airplanes, war, terrorism, sausage and eggs, and even sex. So basically what we end up with is just another aggregator. I wondered how an aggregator could be set up to filter out the non subject matter related posts. Filtering on tags was one way, filtering on categories was another, but not everybody tags and categorizes their posts. I wanted to set up a community driven aggregator, where the community itself would decide which posts from the aggregated feeds are relevant to the subject matter; the community would tag the posts, publish them, archive them and also edit them and comment on them. Basically this aggregator follows the OPEN DOORS policy where the community drives the content and its visibility without the hassle of submitting forms… no login, no authentication… (no infocard; well, if I am to accept any infocard presented, why should I accept any credential at all? I'm gonna let everybody in) the community itself administers the site.

here's what you can do… check out the site, play around with the several features that I have embedded into it (I'm in the process of embedding more as time goes by), submit your own feeds if you'd like, publish other posts if you find them relevant, delete posts if you think they are stupid, comment on others' posts, edit other comments and posts… basically let yourself loose and do anything you'd like…

All I want out of this is to see how much this community that cares so much about identity, web2.0 and community driven sites really involves itself. This is PoC 2.0.

I'm gonna let the results speak for themselves. No involvement means nobody really gives a damn. It's all hogwash… small talk… If the involvement increases, well, I wonder what the point really is? That's something I would investigate and learn from later. And if folks simply launch a war by modifying the content of each other's feeds/posts, then we are at war, a 2.0 war, and if someone deletes everything from my site, that someone really hates me… show me some love folks, check out the site and let me know what you think of it.

here’s the URL to my PoC 2.0 again : IDENTITYGANG.COM -> make this yourplanetidentity. Pat can have his planet(just a joke pat, no offense. i’ve been told that you have a great sense of humor.)

Monday Apr 03, 2006

Well, I do not wanna say that I buy the concept of User Controlled Identities in its "entirety". However, I'd like to say that I am trying pretty hard to buy into the "concept". Amartya Sen, the co-author of "Identity and Violence", says that the "freedom to choose one's identity affiliations is the antidote to divisive extremism".

Well. I'd not hesitate to do my part in playing a role to eliminate divisive extremism. And just to add to that I'm buying Kim's concept.. slowly.. very very very very slowly...

However, while on the "identity" subject, like the "rest of the world"... I too have a question for Kim. What's with this symmetric proof key in the SAML assertion? Like me, I bet there are several-several folks out there who are awaiting an answer... Kim, please... could you? PLEASE...

A few folks have been having issues using self signed server certificates to invoke the Identity Selector WinFX Component. Here's a short walkthrough on how to use a self signed certificate and save a few $$$'s from having to buy a Certificate from a Trusted Authority.

The key is to use the sha1rsa Signature Algorithm instead of using the default md5rsa Signature Algorithm.

Create a server.pem file by concatenating the server.key file and the server.crt file as follows:
cat /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt > /etc/httpd/conf/server.pem

Restart your web server.

Your self signed certificate should now invoke the identity selector without any issues...

NOTE : Remember folks. If you're learning anything at all from all of us who are blogging our experiences and processes about getting infocard to work in all these various platforms and scenarios, PLEASE "pay it forward".

Saturday Apr 01, 2006

After several emails, I thought that it would be best to point folks to a direct download of ie7 Build 7.0.5296.0 (the version that works). So folks, please stop emailing me for this version. Simply download it from: radpishare.de. If you send me emails, please do not be surprised when I reply with a link to this blog post.

And as far as the PHP and Java code release goes (for both the RP and the infocard creator)... Patience my dear Watson, patience... We've all waited so long for the right folks to release their code, so bear with me/us and have a little more patience.

Basically what you have here is an ephemeral symmetric encryption key, which has itself been encrypted with the public key of the SSL cert for the website InfoCard is interacting with. As you can see from the metadata provided in the KeyInfo fragment, the key is encrypted using RSA with OAEP encoding and SHA1, using the certificate identified in the SecurityTokenReference with the provided fingerprint (the fingerprint is a SHA1 hash of the cert bytes).

Your first job is to decrypt that encryption key. Step one: remove the Base64 encoding. Step two: write a function which takes the private key for the cert referenced by the fingerprint, along with the data, as input and decrypts it using RSA-OAEP.

Once you've successfully decrypted the key (it should be 256 bits), you can use it to decrypt the token. As you can see in the XML, you need to use AES with a ChainedBlockCipher. Decrypt the token (don't forget to strip the initialization vectors... thanks Gary).

The next step would be to quickly check the validity period on this Assertion to make sure it’s still fresh. You might also want to check the AssertionID against a table of previously seen assertions to prevent replay...depends on your level of paranoia.

On to signature validation... you should follow the steps outlined in XML-DSIG, but to paraphrase: check the digest of the canonicalized assertion against the digest in the SignedInfo block, and then validate the signature of the canonicalized SignedInfo using a PublicKey constructed from the provided KeyInfo.
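The non-crypto parts of the procedure above, as an added example that is not from the original post or from any InfoCard implementation: peeling the Base64 layer and the leading CBC initialization vector off an xmlenc CipherValue, then the freshness check on the assertion's Conditions and the replay check on its AssertionID (with a clock-skew allowance the post does not mention). The sample CipherValue and assertion are constructed here, and the RSA-OAEP and AES steps are assumed to be done by a crypto library around these calls.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
AES_BLOCK = 16  # AES-CBC block size in bytes

def split_iv(cipher_value_b64):
    """Step one from the post: strip the Base64 layer. XML Encryption carries the
    CBC IV as the first block of CipherValue, so peel it off before AES decryption."""
    raw = base64.b64decode(cipher_value_b64)
    if len(raw) < 2 * AES_BLOCK or len(raw) % AES_BLOCK:
        raise ValueError("CipherValue is not a whole number of AES blocks")
    return raw[:AES_BLOCK], raw[AES_BLOCK:]

def parse_time(stamp):
    """SAML timestamps are UTC, e.g. 2006-03-28T21:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(assertion_xml, now, seen_ids, skew=timedelta(minutes=2)):
    """Freshness (Conditions NotBefore / NotOnOrAfter) and replay (AssertionID)
    checks on the decrypted assertion, with a small clock-skew allowance.
    Returns (accepted, reason); on acceptance the id is recorded in seen_ids."""
    root = ET.fromstring(assertion_xml)
    assertion_id = root.get("AssertionID")
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if not assertion_id or cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing AssertionID or validity window"
    if now + skew < parse_time(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - skew >= parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    if assertion_id in seen_ids:
        return False, "replayed AssertionID"
    seen_ids.add(assertion_id)
    return True, "fresh"

# Constructed sample data (not a real token): a 16-byte IV followed by two blocks of
# ciphertext, and a minimal SAML 1.1 assertion with a five-minute validity window.
SAMPLE_CIPHER_VALUE = base64.b64encode(b"\x00" * AES_BLOCK + b"\x01" * 2 * AES_BLOCK).decode()
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="uuid-constructed-0001" '
    'MajorVersion="1" MinorVersion="1" IssueInstant="2006-03-28T21:00:00Z">'
    '<saml:Conditions NotBefore="2006-03-28T21:00:00Z" NotOnOrAfter="2006-03-28T21:05:00Z"/>'
    '</saml:Assertion>'
)

if __name__ == "__main__":
    iv, ciphertext = split_iv(SAMPLE_CIPHER_VALUE)
    seen = set()
    print(len(iv), len(ciphertext))
    print(check_assertion(SAMPLE_ASSERTION, parse_time("2006-03-28T21:02:00Z"), seen))
    print(check_assertion(SAMPLE_ASSERTION, parse_time("2006-03-28T21:02:00Z"), seen))  # replay
```

The seen-id table must outlive a single request and be shared across RP instances, otherwise the replay check only holds per process.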

Now, what’s bugging me is the use for the Symmetric Proof key provided in the Subject of the Assertion. Super Pat and I discussed this for awhile, and since it’s not used immediately in this protocol exchange, our best guess is that it’s used in subsequent interactions with the service, although I must admit the InfoCard docs are a little fuzzy on this subject. If anyone can fill me in, I’d appreciate it!

Now that the "infocard walled garden" has been made not so mystical, here are my thoughts.

The OBJECT tag required to invoke the Identity Selector is a cool tool, but on the RP side, the RP is just a listener that receives tokens "pushed" to it. One does not really need an InformationCardSignInHelper (i.e. icardie.dll for ie7) to invoke the Identity Selector (WinFX CTP). One can easily write a tool that creates these tokens using random data and start pushing these tokens to RPs. I see this as an extremely simple way to set up a DoS attack.

So are infocards really "secure"?

Would they make the common man's life easier?

Would they make RPs more vulnerable to DoS attacks?

Like I said earlier, I am having an extremely hard time trying to digest the First Law from the "Laws Of Identity". For some reason I tend to lean strongly towards not being able to digest "user control". Hopefully over time, I shall grow out of it and be able to digest the theory.

Wednesday Mar 29, 2006

Chuck Mortimore has just deployed the world's first Java based Infocard Relying Party app. I'm following up soon with a PHP based Relying Party app... (Chuck beat me to it, even though we've been constantly communicating and collaborating. Guess Chuck had the advantage of time... However, we played tag-team and managed to get it to work !!!) Getting Java to work was easy; PHP seems to be a bit harder with decoding and parsing encoded XML. I always thought that PHP was easier, but was proven wrong this time... I'm trying to do exactly the same thing in PHP as the Java code and all I get is garbage. There must be something different in the urldecode / base64_decode functions in PHP and the way in which it handles "special characters".

HOWEVER: Chuck's the one who deserves 100% credit for deploying it first.

Kim, Please publish your code... not the relying party provider (RP) code, We got that already.. We would like to see the WinFx Identity Invoker Code... (please... please... please... please... please...)

For those who appreciate HARD WORK. Take a moment to toast Chuck. Infinite cheers Chuck !!! You ROCK !!!

Open Source rocks !!!..... Kim.. break down those walls. Let East Meet West. Let infocard be really "open". Please do not restrict us to work within those "infocard walled gardens"... please let us open up channels to securing the identity space. & ah !! in-ter-oh-por-ate !!

Tuesday Mar 28, 2006

LOL... had some time to kill..... and so I made a few images that you could use as your infocard image to help you identify the different infocards you create and distinguish between them instead of relying on the infocard super-imposed name.

I know that most of the sites that would accept this card would also have a "confirm registration" email sent out. Well, I shall soon do something to address that too. The email address registered on this card is john.doe.infocard-AT-gmail-DOT-com. So, what I shall also do is set up a Gmail forward to forward all emails to a_secret_email_address@blogger.com, and then set up a blog to publish all those emails received. Well, then I could probably write a javascript or any utility to auto-click & confirm all URLs in the posts, or to parse the contents of emails received and do an HTTPrequest.get() on all URLs that the blogpost contains. But since that would take some effort, and is not something I am too keen on doing anyway, and also since I currently do not have too much stale time on my hands, I shall do that only if I see the card being used... or I may also decide against it and keep this as "insider" info.

Guess I would be wasting too much time on this, so the idea is now officially canned. ROTFL.

NOTE : This is in no way an attempt to initiate a world-wide attempt to present John Doe's infocard as a mechanism to break all web services/applications that may someday accept infocard as their auth medium. I received a few emails and phone calls to clarify the intent here..
So here's a public post of the intent. If you see that this can be used as a way in which tens of thousands of folks use a "common" credential (with User Control and Consent) to authenticate, and even deceive the "registration confirmation" system into accepting the credential, then I hope you see the big picture. These AuthN mediums are not for a person to person authentication system but for an "automated" system. I see this as a means by which hackers have a platform to authenticate into systems, initiate a new breed of DoS attacks, hijack identities, & misuse the system. Please see this not as an attempt to "attack" but as an attempt to show you that there can be several ways in which a system's stability can be compromised using extremely simple means. It does not require a rocket scientist to do such tasks. & mind you there are several folks "out there" who do this just for the kicks. So when you folks read about infocard and its capabilities in all its basking glory, please remember not to tie yourselves down to an "infocard walled garden" and think outside of the BOX.
As "WE" work on securing the systems even more, the "outsiders" would always find innovative ways of breaking them. Therefore "WE" need to work as a "TEAM" and CO-LAB-OH-RATE!!
Please... Let's not work on "proprietorizing" IDENTITY. We've got to have a solution that the industry sees as something that is SECURE, OPEN & more importantly INTER-OPERABLE. Remember it takes 2 to tango.